MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1b41547f2fd4a9706c60b58d264e37481ae25a8a0fc8dd2ac3599f4d309f297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1b41547f2fd4a9706c60b58d264e37481ae25a8a0fc8dd2ac3599f4d309f297
SHA3-384 hash: f75d0e8414f16d91303d18c5c6a044e5ce00ec10f821c1a1bf5003e77cc69a0a2a892b3cfa96bd29271f6a1519f733fc
SHA1 hash: eba0f9e321b4ecc1c8e860c75c2e814aaee65c0f
MD5 hash: 81978579e2d3d5535ef741e673fd4c40
humanhash: uncle-potato-october-football
File name:81978579e2d3d5535ef741e673fd4c40.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:429'568 bytes
First seen:2021-04-01 13:00:24 UTC
Last seen:2021-04-01 14:22:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 58720068c13c39e43ba1cc0727dc6386 (2 x RedLineStealer)
ssdeep 6144:gJfGTI1uG9azWS/YyTiohCjSMR4YpkuZBLyRy64j8x2t:gJO0uG98p/x+o++YpVKRyv8Mt
Threatray 399 similar samples on MalwareBazaar
TLSH 7394DF0173D0C032D09354768A25C7B06EBE75762A769ACFBBD80EBD5F242D19B3670A
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/130832/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.6671.22723.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/662254
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1b41547f2fd4a9706c60b58d264e37481ae25a8a0fc8dd2ac3599f4d309f297/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 13:01:14 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2g2bkr7s7vfjobwgbnmnezhdosa24jniud6i3uvmgwm7juyj6klq._file
Verdict:
malicious
Similar samples:
0f1153b16dce8a116e175a92d04d463ecc113b79cf1a5991462a320924e0e2df
RedLineStealer
310339bcc4c81ba2d5bd40e292b4855cf8c7d6345db36d5ab65c9bcea4dad35a
RedLineStealer
35aac4dc4ab85c75852a93a573b654f275e6c1dcaae69cc3176c05271a097750
RedLineStealer
763523c1b4a8e9aa4583af76c6706ccac9df72244a3b8fc70ac81f864bcf7ed9
RedLineStealer
807e65fc407c3d9f024b10e8cfb20c2e10ad067aa217fe97ec1b075c24dbc936
RedLineStealer
97059b74b76a880fae49ca4bfa64953cb694e60195a387018440066e5c0cf853
RedLineStealer
a3948163bc436fde2808c4c76fccc90d515f3d754fc5851f0eb1e8b40a539e2b
RedLineStealer
b6255ccb6a0c4843452827ec54f6f041a3285f3042668d1ba4f7593f733d420f
RedLineStealer
ce07dc9b67f4e91fb0254421599c3344f60732b99c24d39d4f2a5b8e93da56ef
RedLineStealer
dac8697e24dbe30b33cc0de5ac7584319b134ad59d11aeffdecb861a6868a8a3
RedLineStealer
+ 389 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210401-9khwc1v29n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
1eb3872054f372434b179355e42bc7538eb0b0b085713fded10278030a0427f9
MD5 hash:
78a535422e2f6ee38d23303739633df4
SHA1 hash:
a79eb74129aaa63ca4175bad850510667e876255
Link:
https://www.unpac.me/results/36431045-38cc-4c29-8602-750762fdd14c/
SH256 hash:
bb2a4bfac1be5895eea6fb0ca45e67062d72a9ce769b30baacd5856b6a111630
MD5 hash:
71705e85f8748ca46e31537e62e19037
SHA1 hash:
4f2b3ee4cf0809016c4a9f6958ec752067d838cd
Link:
https://www.unpac.me/results/36431045-38cc-4c29-8602-750762fdd14c/
SH256 hash:
aee30f6be99da18f96404bae8684bb9f3cbe490e73bd30d5f407151653c41848
MD5 hash:
c61ed3bf3203c28408a6b58a338b0b07
SHA1 hash:
1eafb1e9511440ba36ba0f05d3fe0f076805fd75
Link:
https://www.unpac.me/results/36431045-38cc-4c29-8602-750762fdd14c/
SH256 hash:
d1b41547f2fd4a9706c60b58d264e37481ae25a8a0fc8dd2ac3599f4d309f297
MD5 hash:
81978579e2d3d5535ef741e673fd4c40
SHA1 hash:
eba0f9e321b4ecc1c8e860c75c2e814aaee65c0f
Link:
https://www.unpac.me/results/36431045-38cc-4c29-8602-750762fdd14c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1b41547f2fd4a9706c60b58d264e37481ae25a8a0fc8dd2ac3599f4d309f297

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d1b41547f2fd4a9706c60b58d264e37481ae25a8a0fc8dd2ac3599f4d309f297

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1100000/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/130832/

Comments